[ 
https://issues.apache.org/jira/browse/DRILL-7250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16843868#comment-16843868
 ] 

ASF GitHub Bot commented on DRILL-7250:
---------------------------------------

vvysotskyi commented on pull request #1792: DRILL-7250: Query with CTE fails 
when its name matches to the table name without access
URL: https://github.com/apache/drill/pull/1792#discussion_r285537110
 
 

 ##########
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/planner/sql/SqlConverter.java
 ##########
 @@ -280,12 +280,10 @@ protected void validateFrom(
             changeNamesIfTableIsTemporary(tempNode);
 
             // Check the schema and throw a valid SchemaNotFound exception 
instead of TableNotFound exception.
-            if (catalogReader.getTable(tempNode.names) == null) {
-              catalogReader.isValidSchema(tempNode.names);
-            }
+            catalogReader.isValidSchema(tempNode.names);
 
 Review comment:
   Good question, when it is set in the constructor or using a setter of 
`SqlIdentifier` class, it cannot be null, since there is used 
`ImmutableList.copyOf()` method for incoming lists. But this field is public 
and may be changed in some other places (I didn't find any place where it is 
set to null in the current Drill and Calcite code).
   
   Since Calcite's `SqlIdentifier` code does not assume that `names` may be 
null (there is a lot of code where this field is used without checks), I think 
we should also do not check it.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> Query with CTE fails when its name matches to the table name without access
> ---------------------------------------------------------------------------
>
>                 Key: DRILL-7250
>                 URL: https://issues.apache.org/jira/browse/DRILL-7250
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Volodymyr Vysotskyi
>            Assignee: Volodymyr Vysotskyi
>            Priority: Major
>             Fix For: 1.17.0
>
>
> When impersonation is enabled, and for example, we have {{lineitem}} table 
> with permissions {{750}} which is owned by {{user0_1:group0_1}} and 
> {{user2_1}} don't have access to it.
> The following query:
> {code:sql}
> use mini_dfs_plugin.user0_1;
> with lineitem as (SELECT 1 as a) select * from lineitem
> {code}
> submitted from {{user2_1}} fails with the following error:
> {noformat}
> java.lang.Exception: org.apache.hadoop.security.AccessControlException: 
> Permission denied: user=user2_1, access=READ_EXECUTE, 
> inode="/user/user0_1/lineitem":user0_1:group0_1:drwxr-x---
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:317)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:229)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:199)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1752)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1736)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPathAccess(FSDirectory.java:1710)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirStatAndListingOp.getListingInt(FSDirStatAndListingOp.java:70)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListing(FSNamesystem.java:4432)
>       at 
> org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getListing(NameNodeRpcServer.java:999)
>       at 
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getListing(ClientNamenodeProtocolServerSideTranslatorPB.java:646)
>       at 
> org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
>       at 
> org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:616)
>       at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:982)
>       at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2217)
>       at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2213)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAs(Subject.java:422)
>       at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1746)
>       at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2213)
>       at .......(:0) ~[na:na]
>       at 
> org.apache.drill.exec.util.FileSystemUtil.listRecursive(FileSystemUtil.java:253)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.util.FileSystemUtil.list(FileSystemUtil.java:208) 
> ~[classes/:na]
>       at 
> org.apache.drill.exec.util.FileSystemUtil.listFiles(FileSystemUtil.java:104) 
> ~[classes/:na]
>       at 
> org.apache.drill.exec.util.DrillFileSystemUtil.listFiles(DrillFileSystemUtil.java:86)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.FileSelection.minusDirectories(FileSelection.java:178)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.detectEmptySelection(WorkspaceSchemaFactory.java:669)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.create(WorkspaceSchemaFactory.java:633)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.create(WorkspaceSchemaFactory.java:283)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.ExpandingConcurrentMap.getNewEntry(ExpandingConcurrentMap.java:96)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.ExpandingConcurrentMap.get(ExpandingConcurrentMap.java:90)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.getTable(WorkspaceSchemaFactory.java:439)
>  ~[classes/:na]
>       at 
> org.apache.calcite.jdbc.SimpleCalciteSchema.getImplicitTable(SimpleCalciteSchema.java:83)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.jdbc.CalciteSchema.getTable(CalciteSchema.java:286) 
> ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorUtil.getTableEntryFrom(SqlValidatorUtil.java:1046)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorUtil.getTableEntry(SqlValidatorUtil.java:1003)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.prepare.CalciteCatalogReader.getTable(CalciteCatalogReader.java:120)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.drill.exec.planner.sql.SqlConverter$DrillCalciteCatalogReader.getTable(SqlConverter.java:741)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.SqlConverter$DrillValidator.validateFrom(SqlConverter.java:283)
>  ~[classes/:na]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateSelect(SqlValidatorImpl.java:3302)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SelectNamespace.validateImpl(SelectNamespace.java:60)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.AbstractNamespace.validate(AbstractNamespace.java:84)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateNamespace(SqlValidatorImpl.java:977)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateQuery(SqlValidatorImpl.java:953)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.WithNamespace.validateImpl(WithNamespace.java:57)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.AbstractNamespace.validate(AbstractNamespace.java:84)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateNamespace(SqlValidatorImpl.java:977)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateWith(SqlValidatorImpl.java:3750)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at org.apache.calcite.sql.SqlWith.validate(SqlWith.java:71) 
> ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateScopedExpression(SqlValidatorImpl.java:928)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validate(SqlValidatorImpl.java:632)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.drill.exec.planner.sql.SqlConverter.validate(SqlConverter.java:212)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.handlers.DefaultSqlHandler.validateNode(DefaultSqlHandler.java:663)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.handlers.DefaultSqlHandler.validateAndConvert(DefaultSqlHandler.java:200)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.handlers.DefaultSqlHandler.getPlan(DefaultSqlHandler.java:173)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.DrillSqlWorker.getQueryPlan(DrillSqlWorker.java:226)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.DrillSqlWorker.convertPlan(DrillSqlWorker.java:133)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.DrillSqlWorker.getPlan(DrillSqlWorker.java:90)
>  ~[classes/:na]
>       at org.apache.drill.exec.work.foreman.Foreman.runSQL(Foreman.java:593) 
> ~[classes/:na]
>       at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:276) 
> ~[classes/:na]
>       at .......(:0) ~[na:na]
> {noformat}
> It should pass since table {{lineitem}} is not used in the query, but Drill 
> is trying to access this table.
> Partially this problem is caused by CALCITE-3061 and the way how Drill 
> determines whether the schema is valid.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to